From a463d67c2ff2da6a4322640f6e94d437d3dae0b1 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 5 Apr 2016 13:47:44 -0700 Subject: [PATCH] Fixing formatting --- ...apps-to-protected-list-using-custom-uri.md | 2 +- .../create-edp-policy-using-intune.md | 4 +- .../create-edp-policy-using-sccm.md | 58 +++++++++---------- .../protect-enterprise-data-using-edp.md | 2 +- windows/whats-new/edp-whats-new-overview.md | 4 +- 5 files changed, 32 insertions(+), 38 deletions(-) diff --git a/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md b/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md index 22cf7aad4d..7a3fe8957c 100644 --- a/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md +++ b/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md 
@@ -17,7 +17,7 @@ author: eross-msft [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows 10 Anniversary SDK Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.] -Add multiple apps to your enterprise data protection (EDP) **Protected Apps** list at the same time, by using the Microsoft Intune Custom URI functionality and the AppLocker Group Policy. For more info about how to create a custom URI using Intune, see [Windows 10 custom policy settings in Microsoft Intune](http://go.microsoft.com/fwlink/?LinkID=691330). +Add multiple apps to your enterprise data protection (EDP) **Protected Apps** list at the same time, by using the Microsoft Intune Custom URI functionality and the AppLocker Group Policy. For more info about how to create a custom URI using Intune, see [Windows 10 custom policy settings in Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkID=691330). **Important**   Results can be unpredictable if you configure your policy using both the UI and the Custom URI method together. We recommend using a single method for each policy. diff --git a/windows/keep-secure/create-edp-policy-using-intune.md b/windows/keep-secure/create-edp-policy-using-intune.md index 11c56fd728..3c0bd54506 100644 --- a/windows/keep-secure/create-edp-policy-using-intune.md +++ b/windows/keep-secure/create-edp-policy-using-intune.md @@ -66,7 +66,7 @@ The steps to add your apps are based on the type of app it is; either a Universa **To find the Publisher and Product name values for Microsoft Store apps without installing them** - 1. Go to the [Windows Store for Business](http://go.microsoft.com/fwlink/?LinkID=722910) website, and find your app. For example, Microsoft OneNote.

+ 1. Go to the [Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, Microsoft OneNote.

**Note**
If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the **Protected App** list. For info about how to do this, see the [Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md) topic. 2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`. @@ -325,7 +325,7 @@ After you've decided where your protected apps can access enterprise data on you 2. Click **Save Policy**. ## Related topics --[Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md) +- [Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md) - [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md) - [Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune](create-vpn-and-edp-policy-using-intune.md) - [General guidance and best practices for enterprise data protection (EDP)](guidance-and-best-practices-edp.md) diff --git a/windows/keep-secure/create-edp-policy-using-sccm.md b/windows/keep-secure/create-edp-policy-using-sccm.md index 0590682364..89d44090dc 100644 --- a/windows/keep-secure/create-edp-policy-using-sccm.md +++ b/windows/keep-secure/create-edp-policy-using-sccm.md 
@@ -1,48 +1,42 @@ --- title: Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager (Windows 10) description: Configuration Manager (version 1511 or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. -ms.assetid: 85B99C20-1319-4AA3-8635-C1A87B244529 +ms.assetid: 85b99c20-1319-4aa3-8635-c1a87b244529 ms.prod: W10 ms.mktglfcycl: explore ms.sitesec: library -author: brianlic-msft +author: eross-msft --- # Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager - - **Applies to:** - Windows 10 Insider Preview - Windows 10 Mobile Preview - System Center Configuration Manager (version 1511 or later) -\[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows 10 Anniversary SDK Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.\] +[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows 10 Anniversary SDK Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.] Configuration Manager (version 1511 or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. 
## In this topic: +- [Add an EDP policy](#add-an-edp-policy) +- [Choose which apps can access your enterprise data](#choose-which-apps-can-access-your-enterprise-data) -- [Add an EDP policy](#add-edp-policy-sccm) +- [Manage the EDP protection level for your enterprise data](#manage-the-edp-protection-level-for-your-enterprise-data) -- [Choose which apps can access your enterprise data](#choose-apps-sccm) +- [Define your enterprise-managed identity domains](#define-your-enterprise-managed-identity-domains) -- [Manage the EDP protection level for your enterprise data](#protect-level-sccm) +- [Choose where apps can access enterprise data](#choose-where-apps-can-access-enterprise-data) -- [Define your enterprise-managed identity domains](#define-identity-domain) +- [Choose your optional EDP-related settings](#choose-your-optional-EDP-related-settings) -- [Choose where apps can access enterprise data](#choose-where-apps-sccm) - -- [Choose your optional EDP-related settings](#optional-settings) - -- [Review your configuration choices in the **Summary** screen](#summary-page) - -- [Deploy the EDP policy](#deploy-policy-sccm) - -## Add an EDP policy +- [Review your configuration choices in the **Summary** screen](#review-your-configuration-choices-in-the-summary-screen) +- [Deploy the EDP policy](#deploy-the-edp-policy) +## Add an EDP policy After you’ve installed and set up System Center Configuration Manager for your organization, you must create a configuration item for EDP, which in turn becomes your EDP policy. **To create a configuration item for EDP** 
@@ -77,7 +71,7 @@ After you’ve installed and set up System Center Configuration Manager for your The **Configure Enterprise Data Protection settings** page appears, where you'll configure your policy for your organization. -## Choose which apps can access your enterprise data +## Choose which apps can access your enterprise data During the policy-creation process in Configuration Manager, you can choose the apps you want to give access to your enterprise data through EDP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps or unprotected network locations. @@ -97,7 +91,7 @@ EDP-aware apps are expected to prevent enterprise data from going to unprotected **To find the Publisher and Product name values for Microsoft Store apps without installing them** - 1. Go to the [Windows Store for Business](http://go.microsoft.com/fwlink/?LinkID=722910) website, and find your app. For example, Microsoft OneNote. + 1. Go to the [Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, Microsoft OneNote. 2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`. @@ -209,7 +203,7 @@ EDP-aware apps are expected to prevent enterprise data from going to unprotected ![create configuration item wizard, adding a desktop app](images/edp-sccm-adddesktopapp.png) -## Manage the EDP protection level for your enterprise data +## Manage the EDP protection level for your enterprise data After you've added the apps you want to protect with EDP, you'll need to apply an app management mode. 
@@ -253,7 +247,7 @@ We recommend that you start with **Silent** or **Override** while verifying with ![create configuration item wizard, choosing the app management mode](images/edp-sccm-appmgmt.png) -## Define your enterprise-managed identity domains +## Define your enterprise-managed identity domains Specify your company’s enterprise identity, expressed as your primary internet domain. For example, if your company is Contoso, its enterprise identity might be contoso.com. The first listed domain (in this example, contoso.com) is the primary enterprise identity string used to tag files protected by any app on the **Protected App** list. @@ -270,7 +264,7 @@ This list of managed identity domains, along with the primary domain, make up th If you have multiple domains, you must separate them with the "|" character. For example, contoso.com|fabrikam.com. -## Choose where apps can access enterprise data +## Choose where apps can access enterprise data After you've added a management level to your protected apps, you'll need to decide where those apps can access enterprise data on your network. There are 6 options, including your network domain, cloud domain, proxy server, internal proxy server, IPv4 range, and IPv6 range. 
@@ -348,7 +342,7 @@ After you've added a management level to your protected apps, you'll need to dec Adding a data recovery certificate helps you to access locally-protected files on the device. For example, if an employee leaves the company and the IT department has to access EDP-protected data from a Windows 10 company computer. This can also help recover data in case an employee's device is accidentally revoked. For more info about how to find and export your data recovery certificate, see the[Data Recovery and Encrypting File System (EFS)](http://go.microsoft.com/fwlink/p/?LinkId=761462) topic. -## Choose your optional EDP-related settings +## Choose your optional EDP-related settings After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional EDP settings. @@ -363,7 +357,7 @@ After you've decided where your protected apps can access enterprise data on you ![create configuration item wizard, choosing additional optional settings for enterprise data protection](images/edp-sccm-optsettings.png) -## Review your configuration choices in the Summary screen +## Review your configuration choices in the Summary screen After you've finished configuring your policy, you can review all of your info on the **Summary** screen. 
@@ -376,16 +370,16 @@ After you've finished configuring your policy, you can review all of your info o ![create configuration item wizard, reviewing the summary screen before creating the policy](images/edp-sccm-summaryscreen.png) -## Deploy the EDP policy +## Deploy the EDP policy After you’ve created your EDP policy, you'll need to deploy it to your organization's devices. For info about your deployment options, see these topics: -[Operations and Maintenance for Compliance Settings in Configuration Manager](http://go.microsoft.com/fwlink/?LinkId=708224) +[Operations and Maintenance for Compliance Settings in Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=708224) -[How to Create Configuration Baselines for Compliance Settings in Configuration Manager]( http://go.microsoft.com/fwlink/?LinkId=708225) +[How to Create Configuration Baselines for Compliance Settings in Configuration Manager]( http://go.microsoft.com/fwlink/p/?LinkId=708225) -[How to Deploy Configuration Baselines in Configuration Manager]( http://go.microsoft.com/fwlink/?LinkId=708226) +[How to Deploy Configuration Baselines in Configuration Manager]( http://go.microsoft.com/fwlink/p/?LinkId=708226) ## Next steps 
@@ -395,11 +389,11 @@ Enrollment can be done for business or personal devices, allowing the devices to ## Related topics -[System Center Configuration Manager and Endpoint Protection (Version 1511)](http://go.microsoft.com/fwlink/?LinkId=717372) +[System Center Configuration Manager and Endpoint Protection (Version 1511)](http://go.microsoft.com/fwlink/p/?LinkId=717372) -[TechNet documentation for Configuration Manager](http://go.microsoft.com/fwlink/?LinkId=691623) +[TechNet documentation for Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=691623) -[Manage mobile devices with Configuration Manager and Microsoft Intune](http://go.microsoft.com/fwlink/?LinkId=691624) +[Manage mobile devices with Configuration Manager and Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkId=691624)   diff --git a/windows/keep-secure/protect-enterprise-data-using-edp.md b/windows/keep-secure/protect-enterprise-data-using-edp.md index 8eca7950ff..c1679e75fa 100644 --- a/windows/keep-secure/protect-enterprise-data-using-edp.md +++ b/windows/keep-secure/protect-enterprise-data-using-edp.md @@ -26,7 +26,7 @@ You’ll need this software to run EDP in your enterprise: |Operating system | Management solution | |-----------------|---------------------| -|Windows 10 Insider Preview | Microsoft Intune
-OR-
System Center Configuration Manager (version 1511 or later)
-OR-
Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [Custom URI - Policy CSP](http://go.microsoft.com/fwlink/?LinkID=733963) documentation.| +|Windows 10 Insider Preview | Microsoft Intune
-OR-
System Center Configuration Manager (version 1511 or later)
-OR-
Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [Custom URI - Policy CSP](http://go.microsoft.com/fwlink/p/?LinkID=733963) documentation.| ## How EDP works EDP helps address your everyday challenges in the enterprise. Including: diff --git a/windows/whats-new/edp-whats-new-overview.md b/windows/whats-new/edp-whats-new-overview.md index e0d24672a1..a90d1a2c65 100644 --- a/windows/whats-new/edp-whats-new-overview.md +++ b/windows/whats-new/edp-whats-new-overview.md 
@@ -71,7 +71,7 @@ As a note, your existing line-of-business apps don’t have to change to be incl EDP lets you decide to block, allow overrides, or silently audit your employee's data sharing actions. Blocking the action stops it immediately, while allowing overrides let the employee know there's a problem, but lets the employee continue to share the info, and silent just logs the action without stopping it, letting you start to see patterns of inappropriate sharing so you can take educative action. ## Helping prevent accidental data disclosure to public spaces -EDP helps protect your enterprise data from being shared to public spaces, like the public cloud, accidentally. For example, if an employee stores content in the **Documents** folder, which is automatically synched with OneDrive (an app on your privileged list), then the document is encrypted locally and not synched it to the user’s personal cloud. Likewise, if other synching apps, like Dropbox™, aren’t on the privileged list, they also won’t be able to sync encrypted files to the user’s personal cloud. +EDP helps protect your enterprise data from being shared to public spaces, like the public cloud, accidentally. For example, if an employee stores content in the **Documents** folder, which is automatically synched with OneDrive (an app on your Protected Apps list), then the document is encrypted locally and not synched it to the user’s personal cloud. Likewise, if other synching apps, like Dropbox™, aren’t on the Protected Apps list, they also won’t be able to sync encrypted files to the user’s personal cloud. ## Helping prevent accidental data disclosure to other devices EDP helps protect your enterprise data from leaking to other devices while transferring or moving between them. For example, if an employee puts corporate data on a USB key that also includes personal data, the corporate data remains encrypted even though the personal information remains open. 
Additionally, the encryption continues when the employee copies the encrypted content back to another corporate-managed device. 
@@ -80,7 +80,7 @@ EDP helps protect your enterprise data from leaking to other devices while trans EDP can offer a great user experience by not requiring employees to switch between apps to protect corporate data. For example, while checking work emails in Microsoft Outlook, an employee gets a personal message. Instead of having to leave Outlook, both the work and personal messages appear on the screen, side-by-side. ### Using protected apps -Protected apps are allowed to access your enterprise data and will react differently with other non-protected or personal apps. For example, if your EDP-protection mode is set to block, your privileged apps will let the employee copy and paste information between other protected apps, but not with personal apps. Imagine an HR person wants to copy a job description from a protected app to an internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that it couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website and it works without a problem. +Protected apps are allowed to access your enterprise data and will react differently with other non-protected or personal apps. For example, if your EDP-protection mode is set to block, your protected apps will let the employee copy and paste information between other protected apps, but not with personal apps. Imagine an HR person wants to copy a job description from a protected app to an internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that it couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website and it works without a problem. 
### Copying or downloading enterprise data Downloading content from a location like SharePoint or a network file share, or an enterprise web location, such as Office365.com automatically determines that the content is enterprise data and is encrypted as such, while it’s stored locally. The same applies to copying enterprise data to something like a USB drive. Because the content is already marked as enterprise data locally, the encryption is persisted on the new device.
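Review bot: In windows/keep-secure/create-edp-policy-using-sccm.md, hunk @@ -1,48 +1,42 @@, the new "In this topic" entry links to `#choose-your-optional-EDP-related-settings` with an uppercase "EDP", while every other anchor added in the same list is fully lowercase (`#add-an-edp-policy`, `#manage-the-edp-protection-level-for-your-enterprise-data`). Heading-derived anchors are normally lowercase, so this one is likely to be a dead in-page link; change it to `#choose-your-optional-edp-related-settings`. Separately, the front matter in this hunk changes `author: brianlic-msft` to `author: eross-msft` and lowercases `ms.assetid`, which the commit subject "Fixing formatting" does not cover; mention the metadata change in the commit message or split it out.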
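Review bot: In windows/keep-secure/create-edp-policy-using-sccm.md, hunk @@ -348,7 +342,7 @@, the unchanged context line still reads `see the[Data Recovery and Encrypting File System (EFS)]` with no space between "the" and the link. Since this is a formatting pass and the adjacent heading is already being touched, add the missing space in the same commit.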
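Review bot: In windows/keep-secure/create-edp-policy-using-sccm.md, hunk @@ -376,16 +370,16 @@, two of the three rewritten links keep a leading space inside the parentheses: `]( http://go.microsoft.com/fwlink/p/?LinkId=708225)` and `]( http://go.microsoft.com/fwlink/p/?LinkId=708226)`. The lines are already being changed to add `/p/`, so drop the space after `(` at the same time to match the first link in the list and avoid renderer-dependent link parsing.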
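Review bot: In windows/keep-secure/create-edp-policy-using-sccm.md, hunk @@ -395,11 +389,11 @@, the three "Related topics" links are still bare paragraphs, whereas this same patch repairs the list marker in create-edp-policy-using-intune.md (`-[Add multiple apps` becomes `- [Add multiple apps`) so that its "Related topics" section is a bulleted list. Prefix these entries with `- ` as well so the two topics render consistently.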
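Review bot: In windows/whats-new/edp-whats-new-overview.md, hunk @@ -71,7 +71,7 @@, the rewritten sentence still contains the stray pronoun in "encrypted locally and not synched it to the user's personal cloud"; remove "it" while the line is being edited. The replacement term is also written as plain "Protected Apps list" here, while the other files in this patch bold it as `**Protected Apps**` list, and the hunk at @@ -80,7 +80,7 @@ uses lowercase "protected apps"; pick one form for the list name and apply it throughout.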